--- begin forwarded text From: "John Hemming - CEO MarketNet" <JohnHemming@mkn.co.uk> Date: Thu, 17 Aug 1995 08:39:37 AM PDT To: www-buyinfo@allegra.att.com Mime-Version: 1.0 Subject: 309,485,009,821,345,068,724,781,056 Like .. er ... a big number maan. "SSL" has not been cracked "EXPORT SSL" has been cracked. Then if someone in the next few years can crack SSL with a confidential master key of 128 bits with 2^88 as many required key checks (say half the keyspace at 2^87 as our mate Damien did) then that will be a much bigger story. Then again it was not me floating last week .... In the mean time we encounter the usual inane US government's export restrictions. Can someone put in a word for me please ... Please Please Please Mr Clinton .... keep those export regulations It gives people like myself a major commercial lead in provision of encryption software. So what can we do. Well not being a very trusting soul at times I tried out sending the 01 (SSL 128 bit confidential) message to an export Netscape browser and lo and behold it came up with a cipher conflict. Well that would have been an easy way out. Realistically my internal browser is almost at beta test level and we will put cipher 01 in our selection of ciphers as well as cipher 2. We will also make available our browser to link securely to our servers. If anyone outside US/CA wants work done to bring their systems up to 128 bit confidential ciphers please email jane@jhc.co.uk (JHC plc - JHC Internet Services - yes it does mean John Hemming & Co) In the mean time: My credit card number is 5434 8012 0900 2563 expires 3/97 My name is John A M Hemming My address is 15, Chantry Road, Moseley, Birmingham B13 8DL Who loses if you use that: Firstly, I now have to check my credit card statements for items that are not mine. This will be a pain, but it makes a point clear. Secondly, if you use it you will be breaking the law. Thirdly, when the merchant has to refund up to 6 months of trading turnover on any duff orders the merchant will be seriously upset. My name and address are a matter of public record in the UK. I have only made the job easier by putting all of the information in one place. The card number and expiry date are available in any one of a number of places. (As a City Councillor in Birmingham my address has to be available to the public). 1. Export SSL is good enough for credit card numbers. 2. My bank account is protected by export SSL (I mean that you need to crack export SSL to look at the balances) Alternatively you can phone up the bank and pretend to be the police/head office/inland revenue and ask them. 3. Export SSL or even import SSL is not good enough for entering into contracts. Digital signatures are needed for that. In the mean time ..... I have managed to implement PGP into my workhorse program (which is gradually coming up to beta standard). It seems interoperable with the PGP.exe file in Europe. (As long as you keep the message reasonably short) This allows two interesting additions <A HREF="mailto:abc@def.com"> has been extended to <A HREF="mailto:abc@def.com" PGPKEY="abcddbdb etc"> When you click on that it does a mailto, but also loads the PGP key (public key and userid packets). The program saves both the plaintext and encrypted version and then mails out the encrypted version. The PGP key packet has to have the same email address as that in the mailto otherwise the program will freak. see http://mkn.co.uk/ Which uses that. Similarly <FORM HREF="mailto:banana@orange.com" PGPKEY="asdfj"> allows the encryption of a form before it is mailed. I do have a test form somewhere try the pages in http://mkn.co.uk/help+dir+test\*.* This is quite a nice solid way of ensuring high level encryption for passing around confidential information from forms. Sadly the program that does it ftp://193.119.26.70/mktnet/pub/horse.zip is still a little flaky. Once I have finished off getting 128 bit confidential SSL built into my program I shall be putting in the extensions for electronic cheques (probably today or tomorrow, but I won't be putting that on release even as alpha for the moment). see http://mkn.co.uk/help/policy/htmlext for more details. John --- end forwarded text ----------------- Robert Hettinga (rah@shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell

...

...

...

Phree Phil: Email: zldf@clark.net http://www.netresponse.com/zldf <<<<<